Grandoreiro malware: what it is, how it works and how to prevent it | Malware spotlight
Introduction
One of the few things that attracts the attention of malware researchers more than novel types of malware is malware that expands its attack horizon to new areas of the globe. Couple this with the use of a relatively unfamiliar method to steal from online banking customers and you have yourself a malware that you are bound to hear about, to say the least.
This article will detail Grandoreiro. We’ll explore what it is, how it works and how you can prevent yourself from becoming another statistic in the fight against malware.
What is Grandoreiro?
Written in the Delphi programming language, Grandoreiro is a remote overlay banking Trojan that has earned a name for itself for its ability to steal from online banking customers and has been active since at least 2017.
Remote overlay banking Trojans are designed to allow attackers to overtake devices. This often involves displaying overlay images (full screen) on victim’s computers when they access their banking account online. While this type of banking Trojan does not get much coverage in malware news, remote overlay banking Trojans can be quite devastating, as they allow attackers to fraudulently transfer money from a victim’s online bank account to the attacker during the victim’s online banking session.
There is a wide variety of remote overlay banking Trojans out there today. Despite using similar code, they differ in their respective deployment methods and infection mechanisms.
In the case of Grandoreiro, whenever a user on an infected computer visits a targeted banking website, attackers will begin making fraudulent transfers out of the account that the user signed in to.
Attacks by this type of malware have been the scourge of online banking customers in Latin America since around 2014, and it is generally considered the top online banking (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/vC7REAFJz-8/